Hi, I was trying to find information regarding da...
# general
a
Hi, I was trying to find information regarding data collection. Do you perhaps have any information about that? And maybe osquerys take on GDPR?
a
Is this maybe more like a fleet management solution question (about maybe audit logs, and things automatically acquired on user machines)? osquery itself is just a data collection tool and what you acquire depends on what kind of queries are being run and where (a server, a personal machine, or a company laptop)
You may also have extensions installed that include additional capabilities not covered by the core tables
a
I was thinking of, if I download the app on a mac does my data that is collected end up in the cloud or such? 🙂
a
It is up to you or the person that configures osquery
It does not send anything anywhere on its own
`osqueryi` (or `osqueryd -S`) works as a shell and does 0 logging
`osqueryd` (in daemon mode) only logs to file system
a
Perfect! Thank you for the info! fyi. @Daniel_
a
but sensitive data (if any) is likely in the results log, and that depends on what queries are running
queries are run from query packs, from adhoc queries (through a fleet management solution, such as Kolide or fleetdm)
a
We are looking for an alternative for sysmon but for Mac!
a
from distributed queries (also from fleet management solution), and from the extension socket (other osquery shells connecting to it, or osquery extensions providing additional functionality)
it all requires configuration, and the admin deploying osquery should probably know what is happening in the deployment
a
Awesome!
a
I don't think osquery can replace sysmon, but the endpoint security based tables could provide some of the same features
a
I mean Sysmon does not work for Mac, only Windows.. we just want to see the same data in Splunk for Mac clients
a
You can see what can be gathered from endpoint security here: https://osquery.io/schema/5.2.2/#es_process_events
I know that file integrity monitoring (also based on endpoint security) is being worked on (@sharvil is the main dev on these two)
There are other, older tables, based on openbsm; I am not sure whether they are still working right now but I think the API is being deprecated
If we are talking about process events, you could capture things in the parameters that could be considered private information
For FIM, you would be looking at files opened, which would also I think fall in the same category
I am not an expert on GDPR, I think you need consent from the users and possibly you can only store that data within Europe
I think you need to talk to a lawyer to be sure, and not trust documentation as a precaution
a
Since the company owns the employees' computers, we're allowed to collect data. Such as what is being searched on and what people do on their computer.
a
I think it depends potentially on what the computer is doing; if it's handling GDPR-protected data (like customer data for example) it's still in scope for GDPR laws
a
yes indeed
a
Meaning: a company laptop may end up leaking GDPR-protected data while the employee performs their duty (like: opening personal records, etc)
So i still suggest to talk to a lawyer
a
yes 🙂
s
As Alessandro said, osquery itself does nothing. It is a tool for structured data collection. The osquery foundation does not maintain any central osquery logging. We are not a vendor that provides that service. (Though many of us do work for vendors that do) How osquery is configured is very site specific. Both in terms of what data is collected, how it’s handled, and how thoughtful people are about the privacy implications.
Speaking as a Kolide employee (e.g. a vendor), we aim to be very transparent and user focused in our data collection. I would refer you to https://honest.security for our discussion about these issues.
j
As @seph said, since osquery is just a tool (and not a service) - the GDPR implications are entirely dependent on the implementation of the service, or on the IT/engineering team implementing osquery. Standalone - as a downloadable binary, it has zero GDPR implications.
a
👍